The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Friday, March 04, 2005

The CEO of ChoicePoint has spoken out in response to the recent incident involving the personal information of 145,000 Americans. He says that the company should have done things differently and that they are no longer providing services to small business because of "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them." (I wonder if consumers see a direct benefit by their selling information to large business.)

Interestingly, he says he did not become aware of the incident until months after it occurred. This highlights a problem I blogged about a while ago (PIPEDA and Canadian Privacy Law: Handling customer complaints under PIPEDA). Too often, when incidents occur, they are dealt with by lower level employees. Senior management and the directors, who are ultimately responsible for safeguarding personal information, are kept in the dark. What might start as a minor, one-off incident snowballs as further incidents are able to pile up. As we have seen, incidents such as this can have severe repercussions for a company, undermining shareholder value (see the chart on the right, showing CPS share price) and destroying confidence of consumers. Companies that handle personal information need to make sure that all incidents are appropriately escalated to someone who has overall responsibility for the big picture.
From Canadian Business magazine:

ATLANTA (AP) - The embattled data broker ChoicePoint Inc. said Friday that it was suspending sales of consumer information to small businesses, and the company's chief executive said he did not learn of a major breach until several months after it was discovered.

...

CEO Smith told The Associated Press in an interview Friday that he did not personally learn of the breach until late January, though Los Angeles County detectives made their first arrest in the case in October.

"There is no way that a CEO can know everything that is going on as it relates to an operation," Smith said. "I am not involved in the day-to-day operations of the business."

Smith claimed ChoicePoint didn't grasp the magnitude of the breach until this year.

Asked if he would resign over the matter, Smith said, "I have no intention of leaving the company."

...

In an AP interview last week, Smith said "we voluntarily found the breach (in October) and notified law enforcement." He said Friday that he didn't mean to include himself in that reference.

Smith said the decision to halt sales to small businesses follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."

ChoicePoint's 17,000 small business customers accounted for about five per cent of annual revenue of $900 million. As a result of suspending sales to them, ChoicePoint said it expects a decline in core revenue this year of $15 million to $20 million.

"Clearly what we did over the last week was take a very hard look at our business," Smith said. "To the extent you could rewrite history, we wish we had would have done things differently."

...

A similar breach involving 7,000 to 10,000 ChoicePoint records occurred in 2002 but did not become public until reported by the Los Angeles Times earlier this week.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.